5 Audit Trail and Node Authentication (ATNA)

Abstract / Scope
- Defines basic security features for an individual system for use as part of the security and privacy environment for a healthcare enterprise.
- Extends the IHE radiology-oriented Basic Security profile (defined in 2002) to be applicable to other healthcare uses.
- Provides host-level authentication, which is used in conjunction with the user authentication from EUA and XUA.

June 28-29, 2005, Interoperability Strategy Workshop

6 ATNA Value Proposition
- Protect patient privacy and system security:
  - Meet ethical and regulatory requirements
- Enterprise administrative convenience:
  - Unified and uniform auditing system
  - A common approach from multiple vendors simplifies definition of enterprise policies and protocols.
  - A common approach simplifies administration.
- Development and support cost reduction through code re-use:
  - Allows vendors to leverage a single development effort to support multiple actors.
  - Allows a single development effort to support the needs of different security policies and regulatory environments.

7 ATNA Security Requirements
Reasons: clinical use and privacy
- Authorized persons must have access to the medical data of patients, and the information must not be disclosed otherwise.
- Unauthorized persons should not be able to interfere with operations or modify data.
By means of procedures and security mechanisms, guarantee:
- Confidentiality
- Integrity
- Availability
- Authenticity

9 ATNA Security Measures
- Accountability and audit trail: establish a historical record of a user's or system's actions over a period of time; answers the question "What have you done?"
- ATNA defines: audit message format and transport protocol

12 ATNA Suitable Network Environments
- Physically secured networks
  - Explicit physical security preventing access by other nodes, or
  - VPN and VLAN technologies that provide equivalent network isolation.
- Protected networks
  - Physical security that prevents modification or installation of unauthorized equipment
  - The network is shared with other authorized nodes within the enterprise that should not have unrestricted access to patient information.
- Unprotected networks
  - Not generally supported, although nodes with sufficient node-level security and using encryption may be safe.

13 ATNA Node Security
- ATNA specifies some of the capabilities that are needed, e.g. access control.
- ATNA does not specify policies.
- ATNA does not specify mechanisms, although other IHE protocols like EUA are obvious candidates.
- This permits vendors and enterprises to select technologies and policies that are appropriate to their own purposes without conflicting with the ATNA profile.

15 Why node authentication?
- Many systems are shared access, e.g. CT systems, where the machine identity is more important than the operator's identity for security purposes.
  - A CT operator is only permitted to update CT records from a CT system.
- Some systems operate autonomously, e.g. a PACS archive.
  - Knowing the identity of the PACS administrator on duty is not useful when monitoring PACS activity. There might be nobody logged in.
- Machine access is usually controlled by the site administration.
  - Even authorized users are not permitted to use personal machines.
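The three situations on this slide (a shared CT console, an autonomous PACS archive, and an unregistered personal machine) come down to one access decision that weighs the authenticated node identity first and the user identity second. The following Python is an added illustration, not IHE or ATNA code: the node registry, node types, roles and rules are constructed for the example, and the node identifier is assumed to have already been established by host-level authentication.

```python
"""Access decision combining node identity (host-level authentication, ATNA)
with user identity (EUA/XUA). Added example with constructed data; not IHE code."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Request:
    node_id: str            # authenticated host identity (assumed already verified)
    node_type: str          # declared role of the host: "CT", "PACS", "WORKSTATION" (constructed)
    user: Optional[str]     # None when the node acts autonomously (nobody logged in)
    role: Optional[str]     # user role from user authentication, e.g. "ct_operator"
    action: str             # "update", "read", "archive"
    record_type: str        # modality of the record, e.g. "CT", "MR"

# Site-administered registry of permitted machines: which hosts exist and
# what they are. Personal machines never appear here. Constructed sample data.
NODE_REGISTRY = {
    "ct-scanner-01": "CT",
    "pacs-archive-01": "PACS",
    "ws-radiology-07": "WORKSTATION",
}

def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Node checks come before any user check."""
    # 1. The host must be registered and must be the type it claims to be.
    if NODE_REGISTRY.get(req.node_id) != req.node_type:
        return False, "unregistered or misdeclared node"
    # 2. Autonomous system: the PACS archive may archive with nobody logged in,
    #    because its machine identity is what the site holds accountable.
    if req.node_type == "PACS" and req.action == "archive":
        return True, "autonomous PACS archive action"
    # 3. Every other action needs an authenticated user as well.
    if req.user is None or req.role is None:
        return False, "no authenticated user"
    # 4. Shared-access rule from the slide: CT records are updated only by a
    #    CT operator, and only from a CT system.
    if req.action == "update" and req.record_type == "CT":
        if req.role == "ct_operator" and req.node_type == "CT":
            return True, "CT operator updating CT record from CT node"
        return False, "CT record updates restricted to CT operators on CT nodes"
    # 5. Reads by clinical roles are allowed from any registered node.
    if req.action == "read" and req.role in {"ct_operator", "radiologist"}:
        return True, "read by clinical role"
    return False, "no matching rule"

if __name__ == "__main__":
    for r in (
        Request("ct-scanner-01", "CT", "alice", "ct_operator", "update", "CT"),
        Request("ws-radiology-07", "WORKSTATION", "alice", "ct_operator", "update", "CT"),
        Request("pacs-archive-01", "PACS", None, None, "archive", "CT"),
        Request("laptop-bob", "WORKSTATION", "bob", "radiologist", "read", "CT"),
    ):
        print(r.node_id, r.action, authorize(r))
```

The ordering matters: an unregistered host is refused before its user is even considered, which is what "even authorized users are not permitted to use personal machines" requires, and the autonomous-archive rule is the only path that succeeds without a user.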

21 What it takes to be a secure node
- The entire host must be secured, not just individual actors.
- The entire host must have appropriate user access controls for identification, authentication, and authorization.
- All communications that convey protected information must be authenticated and protected from interception. This means every protocol, not just the IHE transactions.
- All health information activities should generate audit trails, not just the IHE actors.

22 What it takes to be a secure node
The secure node is not a simple add-on of an auditing capability. The complete work effort includes:
- Instrumenting all applications to detect auditable events and generate audit messages.
- Ensuring that all communications connections are protected.
- Establishing a local security mechanism to protect all local resources.
- Establishing configuration mechanisms for:
  - Time synchronization using the Consistent Time (CT) profile
  - Certificate management
  - Network configuration
- Implementing the audit logging facility
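Slide 9 says ATNA defines an audit message format and transport protocol, and this slide lists instrumenting applications and implementing the logging facility as the bulk of the work. The Python below is an added example of what that instrumentation looks like; it is not IHE code and does not reproduce ATNA's own message schema or transport. It uses a generic structured record and frames it as a BSD-syslog style line (RFC 3164, `<PRI>Mmm dd hh:mm:ss HOST TAG: MSG`), with the field names, the `atna-audit` tag, the in-memory sink and the sample host and patient identifiers all constructed for the example.

```python
"""Audit-trail instrumentation: detect an auditable event in application code,
build a structured record, check required fields, frame it for transport, and
parse it back on the receiving side. Added example with constructed data."""
import functools
import json
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Optional

# Fields every record must carry to answer "who or what system did what, when,
# and did it succeed". Constructed for this example; ATNA's schema differs.
REQUIRED_FIELDS = ("event", "outcome", "timestamp", "node")

# In-memory sink standing in for the audit record repository (constructed).
AUDIT_LOG: List[str] = []

# Fixed time used by the stand-alone demo so output is reproducible (constructed).
SAMPLE_TIME = datetime(2005, 6, 28, 9, 30, 0, tzinfo=timezone.utc)

def build_record(event: str, outcome: str, node: str, user: Optional[str],
                 patient: Optional[str], when: Optional[datetime] = None) -> Dict[str, Any]:
    """One audit record. user is None for autonomous (nobody logged in) nodes;
    patient is None for events that concern no patient, e.g. a node start-up."""
    when = when or datetime.now(timezone.utc)
    return {"event": event, "outcome": outcome,
            "timestamp": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "node": node, "user": user, "patient": patient}

def validate_record(rec: Dict[str, Any]) -> None:
    """Refuse to emit a record that cannot answer 'what have you done?'."""
    missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    if missing:
        raise ValueError("audit record missing required fields: " + ", ".join(missing))

def to_syslog_line(rec: Dict[str, Any], facility: int = 16, severity: int = 6,
                   tag: str = "atna-audit") -> str:
    """Frame as RFC 3164 '<PRI>Mmm dd hh:mm:ss HOST TAG: MSG'.
    PRI = facility * 8 + severity; facility 16 is local0, severity 6 is informational."""
    validate_record(rec)
    ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # day is space-padded per RFC 3164
    return f"<{facility * 8 + severity}>{stamp} {rec['node']} {tag}: {json.dumps(rec, sort_keys=True)}"

def parse_syslog_line(line: str) -> Dict[str, Any]:
    """Receiver side: recover the structured record from the framed line."""
    return json.loads(line.split(": ", 1)[1])

def audited(event: str, node: str) -> Callable:
    """Decorator that instruments an application function: exactly one audit
    record per call, recording success or failure; a failure is still raised."""
    def deco(fn: Callable) -> Callable:
        @functools.wraps(fn)
        def wrapper(*args, user=None, patient=None, **kw):
            outcome = "failure"
            try:
                result = fn(*args, user=user, patient=patient, **kw)
                outcome = "success"
                return result
            finally:
                AUDIT_LOG.append(to_syslog_line(build_record(event, outcome, node, user, patient)))
        return wrapper
    return deco

@audited("patient-record-read", node="ws-radiology-07")
def read_record(record_id: str, user=None, patient=None) -> str:
    """Stand-in application function (constructed); real code would hit a database."""
    if record_id.startswith("missing"):
        raise KeyError(record_id)
    return f"contents of {record_id}"

if __name__ == "__main__":
    print(to_syslog_line(build_record("node-start", "success", "ws-radiology-07",
                                      None, None, when=SAMPLE_TIME)))
    read_record("R-1", user="alice", patient="PID-0001")
    try:
        read_record("missing-2", user="alice", patient="PID-0002")
    except KeyError:
        pass
    for line in AUDIT_LOG:
        print(line)
```

Two design points carry over to any real implementation: the decorator emits in `finally`, so a failed access is recorded as faithfully as a successful one, and validation runs before framing, so a half-filled record never reaches the transport.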

23 Consistent Time (CT)
- Network Time Protocol (NTP) version 3 (RFC 1305) for time synchronization
- Actor must support manual configuration
- Required accuracy: 1 second
- Optionally Secure NTP may be used
- Required for use of ATNA, EUA, XUA
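The 1-second accuracy figure is what an actor has to check after each NTP exchange. The Python below is an added example, not IHE or NTP reference code, showing the RFC 1305 arithmetic a client performs: it builds a version-3 client request, parses a server reply, computes clock offset and round-trip delay from the four timestamps T1..T4, and tests the offset against the CT requirement. No network I/O occurs; the server reply and all timestamps are constructed, and the basic reply checks (mode, version, origin timestamp matching the request, non-zero stratum) are the usual client-side sanity checks rather than anything the slide specifies.

```python
"""NTP v3 (RFC 1305) client-side offset calculation against the Consistent Time
profile's 1-second requirement. Added example; timestamps are constructed."""
import struct
from typing import Dict

# 48-byte NTP header: flags, stratum, poll, precision, root delay, root
# dispersion, reference id, then reference/origin/receive/transmit timestamps.
NTP_PACKET = "!BBbbIIIQQQQ"
NTP_VERSION = 3
MODE_CLIENT, MODE_SERVER = 3, 4
CT_MAX_OFFSET_SECONDS = 1.0          # Consistent Time profile: required accuracy 1 s

def to_ntp(seconds: float) -> int:
    """Float seconds since the NTP era (1900-01-01) -> 64-bit NTP timestamp
    (32-bit seconds, 32-bit fraction). Fraction is truncated, never rounded up,
    so it cannot overflow into the seconds field."""
    whole = int(seconds)
    frac = int((seconds - whole) * 2**32)
    return (whole << 32) | frac

def from_ntp(ts: int) -> float:
    return (ts >> 32) + (ts & 0xFFFFFFFF) / 2**32

def build_client_request(t1: float) -> bytes:
    """Client request: LI=0, VN=3, mode=3; only the transmit timestamp (T1) is set."""
    flags = (0 << 6) | (NTP_VERSION << 3) | MODE_CLIENT
    return struct.pack(NTP_PACKET, flags, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))

def build_server_reply(request: bytes, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed server behaviour for the example: copy the client's transmit
    time into the origin field, stamp receive time (T2) and transmit time (T3)."""
    fields = struct.unpack(NTP_PACKET, request)
    flags = (0 << 6) | (NTP_VERSION << 3) | MODE_SERVER
    return struct.pack(NTP_PACKET, flags, stratum, 0, 0, 0, 0, 0, 0,
                       fields[10], to_ntp(t2), to_ntp(t3))

def evaluate_reply(request: bytes, reply: bytes, t4: float) -> Dict[str, float]:
    """RFC 1305 clock offset and round-trip delay from T1..T4, after sanity checks.
    t4 is the client's own receive time for the reply."""
    req = struct.unpack(NTP_PACKET, request)
    rep = struct.unpack(NTP_PACKET, reply)
    if (rep[0] & 0x07) != MODE_SERVER or ((rep[0] >> 3) & 0x07) != NTP_VERSION:
        raise ValueError("not an NTP v3 server reply")
    if rep[8] != req[10]:
        # Origin must echo our transmit timestamp; otherwise the reply is stale
        # or was not sent in response to this request.
        raise ValueError("origin timestamp does not match our request")
    if rep[1] == 0:
        raise ValueError("stratum 0: server is unsynchronised (kiss-o'-death)")
    t1, t2, t3 = from_ntp(req[10]), from_ntp(rep[9]), from_ntp(rep[10])
    offset = ((t2 - t1) + (t3 - t4)) / 2       # RFC 1305 clock offset
    delay = (t4 - t1) - (t3 - t2)              # RFC 1305 round-trip delay
    return {"offset": offset, "delay": delay,
            "within_ct_tolerance": abs(offset) <= CT_MAX_OFFSET_SECONDS}

if __name__ == "__main__":
    # Constructed scenario: server clock is 0.55 s ahead, 0.1 s round trip.
    req = build_client_request(1000.0)
    print(evaluate_reply(req, build_server_reply(req, 1000.6, 1000.7), 1000.2))
    # Same exchange with the server 3.55 s ahead: outside the 1 s requirement.
    print(evaluate_reply(req, build_server_reply(req, 1003.6, 1003.7), 1000.2))
```

An actor that finds `within_ct_tolerance` false should treat its timestamps as unreliable until it resynchronises, since the audit records of slide 9 and the user-authentication assertions of EUA and XUA all depend on this clock.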